From 5f5976049b2070c5880676fcf616f5458f9fe14b Mon Sep 17 00:00:00 2001 From: Zac Bergquist Date: Wed, 11 Dec 2024 13:35:00 -0700 Subject: [PATCH] Explicitly set the session cookie to SameSite=Lax Prior to this change, we were not explicitly setting the SameSite mode for our session cookie, which leaves the behavior up to the browser. Chromium-based browsers have been defaulting to SameSite=Lax since Chrome 80 in February 2020, so this is not a behavior change but rather locking in today's behavior and being explicit about it. Note that this is for Teleport's session cookie only. App session cookies remain using SameSite=None because the proxied app may itself be using SSO, and we need the app session cookie to make its way through SSO redirects. --- lib/web/session/cookie.go | 2 ++ lib/web/session/cookie_test.go | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/lib/web/session/cookie.go b/lib/web/session/cookie.go index f7d8712ee2016..df9bb4b538a6b 100644 --- a/lib/web/session/cookie.go +++ b/lib/web/session/cookie.go @@ -67,6 +67,7 @@ func SetCookie(w http.ResponseWriter, user, sid string) error { Path: "/", HttpOnly: true, Secure: true, + SameSite: http.SameSiteLaxMode, } http.SetCookie(w, c) return nil @@ -80,6 +81,7 @@ func ClearCookie(w http.ResponseWriter) { Path: "/", HttpOnly: true, Secure: true, + SameSite: http.SameSiteLaxMode, }) } diff --git a/lib/web/session/cookie_test.go b/lib/web/session/cookie_test.go index 12c4221d6243a..8f7d685033cfe 100644 --- a/lib/web/session/cookie_test.go +++ b/lib/web/session/cookie_test.go @@ -48,7 +48,7 @@ func TestCookies(t *testing.T) { require.Len(t, setCookies, 2) // SetCookie will store the encoded session in the cookie - require.Equal(t, "__Host-session=7b2275736572223a226c6c616d61222c22736964223a223938373635227d; Path=/; HttpOnly; Secure", setCookies[0]) + require.Equal(t, "__Host-session=7b2275736572223a226c6c616d61222c22736964223a223938373635227d; Path=/; HttpOnly; Secure; SameSite=Lax", setCookies[0]) // ClearCookie will add an entry with the cookie value cleared out - require.Equal(t, "__Host-session=; Path=/; HttpOnly; Secure", setCookies[1]) + require.Equal(t, "__Host-session=; Path=/; HttpOnly; Secure; SameSite=Lax", setCookies[1]) }